Summary
CVE-2026-24051 (NVD | GitHub Advisory GHSA-9h8m-3fm2-qjrq) is a Path Hijacking vulnerability in go.opentelemetry.io/otel/sdk affecting versions v1.20.0–v1.39.0. The vulnerable code in sdk/resource/host_id.go executes the ioreg system command using a relative search path on macOS/Darwin. An attacker who can locally modify the PATH environment variable can achieve Arbitrary Code Execution within the context of the application. The fix is available in v1.40.0.
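To make the vulnerability class concrete, here is an added Go example (not code from opentelemetry-go or from this issue) showing the two defensive patterns that close a PATH hijack: resolving a helper binary only from an explicit allow-list of directories, or, simpler still, refusing to build a command from anything but an absolute path. `/usr/sbin/ioreg` is assumed to be the stock location of `ioreg` on macOS; the function names, the trusted directory list and the fake-binary scenario in the usage are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
)

// trustedLookPath resolves name through PATH exactly like exec.LookPath, then
// refuses the result unless the real file lives in one of trustedDirs.
// Symlinks are resolved on both sides, so a link planted inside a trusted
// directory that points somewhere else is still rejected.
func trustedLookPath(name string, trustedDirs []string) (string, error) {
	found, err := exec.LookPath(name)
	if err != nil {
		return "", err
	}
	real, err := filepath.EvalSymlinks(found)
	if err != nil {
		return "", err
	}
	dir := filepath.Dir(real)
	for _, t := range trustedDirs {
		rt, err := filepath.EvalSymlinks(t)
		if err != nil {
			continue // a trusted directory that does not exist cannot match
		}
		if dir == rt {
			return real, nil
		}
	}
	return "", fmt.Errorf("%s resolved to %s, outside trusted directories %v", name, real, trustedDirs)
}

// fixedPathCommand is the simplest remedy: it only accepts an absolute path,
// so exec.Command never consults PATH and there is nothing to hijack.
func fixedPathCommand(abs string, args ...string) (*exec.Cmd, error) {
	if !filepath.IsAbs(abs) {
		return nil, errors.New("command path must be absolute, got: " + abs)
	}
	return exec.Command(abs, args...), nil
}

func main() {
	// Assumed stock location of ioreg on macOS; arguments omitted on purpose.
	cmd, err := fixedPathCommand("/usr/sbin/ioreg")
	if err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("fixed-path command:", cmd.Path)
	}

	// Allow-listed lookup: succeeds only if ioreg really lives in /usr/sbin.
	if p, err := trustedLookPath("ioreg", []string{"/usr/sbin"}); err != nil {
		fmt.Println("lookup refused:", err)
	} else {
		fmt.Println("trusted binary:", p)
	}
}
```

Running the block on a host where `ioreg` is not installed prints the refused lookup; the point is that a binary of the same name placed earlier in PATH is never executed by either helper, whereas a plain `exec.Command("ioreg")` would pick it up.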
Affected Releases
While go.opentelemetry.io/otel/sdk does not appear as a direct or explicit indirect dependency in go.mod, a go mod graph analysis reveals it is pulled in transitively on both active release branches:
release-1.14 — transitive path via:
- google.golang.org/grpc@v1.69.2 → go.opentelemetry.io/otel/sdk@v1.31.0
- k8s.io/apiserver@v0.33.0 → go.opentelemetry.io/otel/sdk@v1.33.0
- k8s.io/component-base@v0.33.1 → go.opentelemetry.io/otel/sdk@v1.33.0
release-2.1 — transitive path via:
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.64.0 → go.opentelemetry.io/otel/sdk@v1.39.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.64.0 → go.opentelemetry.io/otel/sdk@v1.39.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.39.0 → go.opentelemetry.io/otel/sdk@v1.39.0
- google.golang.org/grpc@v1.78.0 → go.opentelemetry.io/otel/sdk@v1.38.0
- k8s.io/apiserver@v0.35.0 → go.opentelemetry.io/otel/sdk@v1.36.0
- k8s.io/component-base@v0.35.0 → go.opentelemetry.io/otel/sdk@v1.36.0
All resolved versions fall within the vulnerable range (v1.20.0–v1.39.0).
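The check above can be automated so it does not rely on eyeballing `go mod graph` output. The following Go program is an added example, not part of this issue or of the project: it parses the `from to` edge lines that `go mod graph` prints, keeps only edges whose target is exactly `go.opentelemetry.io/otel/sdk` (so sibling modules such as `go.opentelemetry.io/otel/sdk/metric` are not confused with it), and flags any target version inside the inclusive range v1.20.0 to v1.39.0. The embedded graph text is constructed from the edges listed in this issue plus two extra edges (one at v1.40.0, one to the `sdk/metric` module) to show what is correctly left unflagged; the root module name `github.com/example/app` is a placeholder.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Edge is one "from to" line of `go mod graph` output.
type Edge struct {
	From, To string
}

// parseModGraph splits the whitespace-separated "from to" pairs that
// `go mod graph` prints, one edge per line; malformed lines are skipped.
func parseModGraph(text string) []Edge {
	var edges []Edge
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		edges = append(edges, Edge{From: fields[0], To: fields[1]})
	}
	return edges
}

// splitModVersion splits "path@v1.2.3" into ("path", "v1.2.3"). The root
// module in `go mod graph` carries no version and yields "".
func splitModVersion(s string) (string, string) {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// semverCore extracts major.minor.patch from a Go module version, ignoring
// pre-release and build metadata (pseudo-versions like v1.2.3-0.2026... still
// compare by their core). ok is false when the string is not a version.
func semverCore(v string) (core [3]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return core, false
		}
		core[i] = n
	}
	return core, true
}

// compareSemver returns -1, 0 or 1 comparing the core versions of a and b.
// Unparseable input compares as lower than anything parseable.
func compareSemver(a, b string) int {
	ca, oka := semverCore(a)
	cb, okb := semverCore(b)
	switch {
	case !oka && !okb:
		return 0
	case !oka:
		return -1
	case !okb:
		return 1
	}
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// vulnerableEdges returns every edge whose target module is exactly mod at a
// version within [lo, hi] inclusive. A target whose version cannot be parsed
// is reported too, since it cannot be shown to be fixed.
func vulnerableEdges(edges []Edge, mod, lo, hi string) []Edge {
	var out []Edge
	for _, e := range edges {
		path, ver := splitModVersion(e.To)
		if path != mod {
			continue
		}
		if _, ok := semverCore(ver); !ok || (compareSemver(ver, lo) >= 0 && compareSemver(ver, hi) <= 0) {
			out = append(out, e)
		}
	}
	return out
}

// sampleGraph is constructed from the edges listed in this issue, plus two
// edges that must not be flagged: a fixed v1.40.0 and the separate sdk/metric module.
const sampleGraph = `github.com/example/app google.golang.org/grpc@v1.69.2
google.golang.org/grpc@v1.69.2 go.opentelemetry.io/otel/sdk@v1.31.0
k8s.io/apiserver@v0.33.0 go.opentelemetry.io/otel/sdk@v1.33.0
k8s.io/component-base@v0.33.1 go.opentelemetry.io/otel/sdk@v1.33.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.64.0 go.opentelemetry.io/otel/sdk@v1.39.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.64.0 go.opentelemetry.io/otel/sdk@v1.39.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.39.0 go.opentelemetry.io/otel/sdk@v1.39.0
google.golang.org/grpc@v1.78.0 go.opentelemetry.io/otel/sdk@v1.38.0
k8s.io/apiserver@v0.35.0 go.opentelemetry.io/otel/sdk@v1.36.0
k8s.io/component-base@v0.35.0 go.opentelemetry.io/otel/sdk@v1.36.0
github.com/example/app go.opentelemetry.io/otel/sdk@v1.40.0
github.com/example/app go.opentelemetry.io/otel/sdk/metric@v1.39.0
`

func main() {
	edges := parseModGraph(sampleGraph)
	for _, e := range vulnerableEdges(edges, "go.opentelemetry.io/otel/sdk", "v1.20.0", "v1.39.0") {
		fmt.Printf("VULNERABLE %s -> %s\n", e.From, e.To)
	}
}
```

In a real repository, pipe `go mod graph` into the program (or read it from a file) instead of the embedded sample; note that `go mod graph` lists every requirement edge, so a flagged version may still be pruned by minimal version selection, and `go list -m all` is the authoritative view of what actually builds.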
Request
Is there a plan to bump go.opentelemetry.io/otel/sdk (and related OTel packages) to v1.40.0+ on the active release branches?
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24051
- GitHub Advisory: GHSA-9h8m-3fm2-qjrq
- OTel Go fix: https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md